The compliance date for the General Data Protection Regulation (GDPR) enacted by the European Union has now officially passed, so GDPR is a reality for your company. You are expected to make significant changes to the way your company processes personal data and responds to data breaches. The regulation, adopted in 2016, applies to companies both inside and outside the EU, which means you are required to create or enhance your company's data protection practices.
Determine If GDPR Applies to Your Company
Before creating or enhancing your company's data protection practice, first determine whether GDPR applies to your company. This is set out in Article 3 of the GDPR, which defines the regulation's territorial scope: it applies to any company that holds, processes, monitors or controls the personal data of individuals in the EU, regardless of where the processing takes place or where the data is stored.
Here are some questions to ask yourself regarding whether GDPR applies to your organization:
- Does your organization have a physical presence in the EU?
- Are you established in the EU?
- Does your company offer goods or services to individuals in the EU?
- Does your organization monitor the behavior of individuals living in the EU?
If the answer to any of these questions is yes, your organization must comply with GDPR.
Where to Start with GDPR Compliance?
The best approach to GDPR compliance is a practical, detailed plan with participants from each key function of your business. The following steps will help you comply with GDPR:
- Establish a GDPR Working Group and a Data Protection Officer (DPO)
Appoint a person with the authority and budget to own data privacy and protection. That role should also identify and assess all GDPR controls, remediate control deficiencies, conduct training, manage any data breaches and maintain the program over time.
- Establish Risk, Governance and Compliance Accountability
Identify, categorize and label every type and source of personal data. Inventory the assets and applications that transmit, process or store that personal data. In addition, inventory your company's data processing activities so you can set priorities.
Catalog and assess all third-party processors that were in place prior to May 2018 to identify any processes and agreements you need to modify for GDPR compliance. Screen third-party contractors periodically, and keep all engagement documents that incorporate GDPR requirements.
Review, create, update or retire privacy consents, policies and privacy notices according to GDPR requirements, and review your controls regularly to confirm they still meet those requirements.
Conduct Data Protection Impact Assessments where processing is likely to result in a high risk to data subjects, and continuously inventory your data flows and their sources. Implement appropriate technical and organisational measures to show that your company has considered and built data protection into all of its processing activities. Use tools to establish, manage and monitor your GDPR program, and include all GDPR requirements in your company's monitoring and auditing programs so that their effectiveness can be evaluated. Run these evaluations regularly and update the program to reflect changes in operations, regulations, review results and feedback.
- Focus on Privacy Consent and Notices
Review all company privacy notices to determine whether they meet GDPR requirements for content, timing, delivery and updates, and repeat this review as needed. Also review how your company seeks, manages and records consent. Updated consent requests and privacy notices must be simple, concise, timely and transparent. Consent must be easy to give, easy to withdraw, and recorded so that you can prove it was obtained. Your processing controls and activities must also support data subjects' rights of access, rectification, erasure, objection and data portability. For instance, people should be able to easily file a complaint.
- Establish Your Company’s Data Breach Procedure
GDPR requires you to have procedures for responding to data breaches. Your handling of a breach must cover timely detection, reporting, management and investigation. Review and update your data breach procedures to address the timing and notification requirements for affected individuals and for EU Supervisory Authorities: the regulation requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and notifying affected individuals without undue delay when the breach is likely to result in a high risk to them.
- Require Awareness Training
Conduct awareness training so that your employees and third-party contractors understand your company's GDPR internal controls and any changes affecting data privacy and protection. Reinforce this with periodic GDPR notices and refresher training.
GDPR has a significant impact on how a company operates. You must make several changes to your organization to become and remain GDPR compliant, and this is not a one-time project. Following the steps above, and repeating them as your operations and the regulation evolve, will help you avoid the large penalties for noncompliance.